[3308] in WWW Security List Archive


Re: New list?

daemon@ATHENA.MIT.EDU (Ray Kaplan)
Sun Oct 20 12:53:01 1996

Date: Sun, 20 Oct 1996 09:23:33 -0500
From: Ray Kaplan <ray@rayk.com>
In-reply-to: <9610191834.AA31669@etna.ai.mit.edu>
To: www-security@ns2.rutgers.edu
Cc: hallam@ai.mit.edu
Errors-To: owner-www-security@ns2.rutgers.edu

On Sat, 19 Oct 1996 14:34:59 -0400, hallam@ai.mit.edu writes:

>Does anyone feel like it's time to move to creating a new list.

Absolutely

>This
>one seems to be past it.

(universal agreement here)

>I suggest a new list for discussion of the
>following topics :-
>
>1) How to secure a site (Intranet) connected to the Internet
>	This would not be restricted to discussion of firewalls since
>	the threat that firewalls were originally designed to meet
>	was to prevent information leaking _out_ of the company
>	rather than prevent trojan horses etc from coming in.

The firewalls list does a good job - how about a refinement - www-related
specifics, perhaps digested and fed to the firewalls list?

>	I'm quite involved with router and bridge level filtering
>	these days.

As we all are (or should be) to some degree

>2) Safe content types to allow into an Intranet
>	Is postscript a risk? Is Java safe? How to block these content
>	types.

Yes - but as www-specific discussions.  One can get lost in the "general
discussions."  Yes, I know it's all part of the same fabric - however, in
the interest of cleaning up this list I vote for a www-specific focus.

>3) Announcements of conferences etc
>
>4) Configuration of various products, discovery of security weaknesses.
>	e.g. NCSA server bugs, Netscape crypto foul ups, WNT
>	vulnerabilities.
>
>5) Experience of using certification technologies
>
>6) Case studies of attacks against sites.
>
>7) Warnings of attacks in progress (e.g. SYN, mailflood etc).
>
>8) Announcement of new directions in cryptography.
>

Again, only if they are www-specific - else why have a "www..." list in the
first place?

>Off topic :-
>
>1) Discussion of particular viruses, particularly Windows 3.1 and
>	MAC. It's a tedious issue for which the only solution is to
>	move to a more competent operating system.

Yes, but the world is not moving in this direction.  I call it the "Mr.
Rogers syndrome":  With top management being insulated from their
exposures, most organizations are "having a nice day in the neighborhood."
The shock of answering the question of what a "more competent operating
system" is can be sufficient to spawn many tangential discussions.  Such
discussions are so beat to death, solutions are quite available, and - most
importantly - the basic principles have been quite well understood for
quite a long time (well over 20 years?) by those who are serious about the
subject.

A fellow consultant tells me that some of the organizations who *have to
be* secure are quite happy with piles of Macs and Windoz of various variety.

I submit that there are vast quantities of literature / practice that tell
you how to use these things securely as part of a fabric that has
sufficient control over connectivity (never mind the kind of connectivity -
each has its own considerations.)

>2) Crypto politics discussion.
>	Been on the net more than a month? You probably know the
>	arguments backwards. More talk will do little to change things.
>	Announcements of developments _might_ be appropriate.

Not here.  Crypto lists are numerous and widely available as are forums on
Java...

>Overall I would see the "research" angle as being mainly requirements
>capture rather than discussion of security protocol development

Again, fairly widely available.  However, the best stuff seems to happen
one-to-one and at the IETF.  Take a trip to the next IETF meeting - I think
you will be surprised at how well developed these discussions are.  The
problem is that much (most?) of this sort of discussion is not captured for
"non-security researchers" and that there seems to be no general focus
(idea ahead.)

>I would like the list to mark an advance on the traditional mailing
>list idea. Joining the list would require Web access.

Nope.  Mail is mail, www is www.  Don't get the vehicle and the information
that it carries confused with the subject of discussion.

>There would be
>an online FAQ and resource list. The list would comprise a "digest"
>summarising the latest developments and accompanying "chat".

Indeed - however, the main problem with this list is that there is no
granularity (idea ahead.)

>As an attempt to increase the signal/noise ratio the idea would be
>to orient the list around the development of a collection of
>"living documents". These would include the FAQ, resource lists
>etc.

Yep - with sufficient granularity to allow the maintenance of sanity =
multiple mailing lists of the sort that you suggest.

>What I am proposing is something that is more like a cooperative
>publishing house/literary circle than simply a correspondence
>society.

Yep.  However, mail is not mailing lists, is not an FAQ, is not News, is
not the web...

Idea:

Split the list up:

1) Overall = pointers to things such as subsidiary lists that are concerned
ONLY with www.  Perhaps this would be the entry point for the novice.

2) Subsidiary lists = topic-specific, perhaps modeled after the
www-security FAQ with additions as needed.  In fact, some editions of the
www-security FAQ are www-based and so loaded with excellent links that you
can quickly find 'zackly what you want -- or, as is the tradition, a
plethora of pointers.  This would reduce the noise and allow us all to
focus on what we wanted without trying to turn this list (or its
successors) into a duplication of existing things like News...

Taking the global view of the www / Email / News mess, I'd say that all we
need here is:

1) Some structure such as the one I suggested

2) Subsidiary lists (w / digests and subtopic-specific FAQs, perhaps)

3) Some natural progression that does not add NOISE AND HASSLE.  Perhaps,
as I suggested, some gross granularity such as represented in the major
headings of the www-security FAQ + a novice entry point (and a place where
their questions can be answered?), AND (most importantly) a focus on NOT
duplicating anything that is already out there in other forums.

RayK
